Intel,Altiris Group

Part 1: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology 

Dec 14, 2009 03:04 PM

Integrating Microsoft Active Directory into the configuration and use of Intel Active Management Technology (Intel AMT) within the vPro platform brings both advantages and considerations. Understanding the advantages, the configuration requirements, and the Kerberos authentication sequence will help in a successful implementation. The material presented here combines the Symantec Out-of-Band Management documentation, the Intel SCS user guide, the Intel AMT SDK documentation on Active Directory integration, Microsoft TechNet, and other sources. It is provided "as-is" and is intended to augment the existing documentation with experience from real deployments.

This article series is divided into 5 key sections in relation to Intel vPro Technology and Altiris 7 environments:

The material is intended for those already familiar with the core Intel AMT usage models and with configuring the technology within the Altiris Out-of-Band Management solution, and who have a basic familiarity with Microsoft Active Directory configuration.

Before proceeding, a quick review of why Active Directory integration may be of interest. If none of the following descriptions fits your environment, it may be best to forgo Active Directory integration and keep the configuration simple. Key reasons to use Active Directory integration:

  • Kerberos authentication to Intel AMT
  • Re-use of the existing user lists in Active Directory for role-based security
  • Mutual TLS authentication will be used in the environment (very rare)
  • 802.1x profiles will be used in the configuration of Intel AMT
  • Interoperability among management tools and solutions

The final point raises a key requirement that arises with Microsoft SCCM. If Microsoft SCCM with its associated Out-of-Band Console will be used in the environment, Kerberos authentication and TLS are required for the Intel AMT systems. If Microsoft SCCM will be the primary console for 1-to-1 and 1-to-many management of Intel vPro technology based systems, it may be best to have Microsoft SCCM own the configuration of the technology. Other management consoles or configurations may have enabled, or may expect, AD integration with Kerberos authentication. The Altiris environment provides flexibility by not requiring ownership of the Intel AMT configuration in order to use the technology. This article series aims to explain why that is the case.

In addition to interoperability with Microsoft SCCM, Kerberos authentication enables command-line and other utilities in the environment to authenticate to Intel AMT without the caller having to embed or expose a username and password; the caller presents a service ticket instead. Kerberos authentication thus relies on a central user directory, Microsoft Active Directory, and on standard protocols that assist interoperability.

Overview

Over a year ago, an article was posted on using Kerberos authentication for Intel vPro Technology in an Altiris environment. A related article was posted emphasizing the use of Altiris roles and permissions based on LDAP users for role-based usage of Intel AMT. The previous articles were written out of necessity: customers were asking about role-based security, yet there was general disinterest in Kerberos authentication in an Altiris environment. There were a variety of reasons for the disinterest, the primary one being overall demand for, and readiness to use, Kerberos authentication with Intel Active Management Technology. The situation has changed for the better, as it often does.

A key difference between an Altiris 6 and an Altiris 7 environment when configuring AD integration for Intel AMT is that schema extensions are no longer required. The good part is that the underlying authentication sequence and the Service Principal Names (SPNs) used for Kerberos authentication are the same. For those not already familiar with the basics of Kerberos authentication in a Microsoft Active Directory environment, the following Microsoft TechNet article may be of interest: http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx.

The diagram below provides an overview of the Kerberos authentication sequence once the environment has been configured properly. A more complete insight of the communication flows is available via the developer documentation within the Intel AMT SDK.

In the image above, the key emphasis is on authentication to the Intel Management Engine. The requesting user or application authenticates to a service running in the firmware of the Intel AMT client system. A common misstatement is that Kerberos authentication for Intel vPro Technology, or rather for the Intel Active Management Technology inside vPro, authenticates the caller to the computer. The correct interpretation is authentication to the management firmware, which is a service in the computer's hardware and is reachable independently of the operating system.
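The sequence just described, as an added example that is not part of the original article: ask the KDC for a service ticket for the management engine's SPN, then present that ticket to the firmware's web interface. The SPN form HTTP/<fqdn>:<port> and the ports 16992 (HTTP) and 16993 (HTTPS) are assumptions taken from Intel AMT documentation, not from this page. It must run on a domain-joined Windows console (klist.exe, PowerShell 3 or later) as a user who is present in the Intel AMT ACL.

```powershell
# Added example (not the article's or Intel's code).
# Assumptions, from Intel AMT documentation rather than this page:
#   - the management engine's SPN is HTTP/<fqdn>:<port>
#   - the firmware web UI listens on TCP 16992 (http) / 16993 (https)
function Test-AmtKerberosAuth {
    param(
        [Parameter(Mandatory)][string]$Fqdn,  # FQDN the SPN was registered under
        [switch]$Tls                           # use 16993/https instead of 16992/http
    )
    $port   = if ($Tls) { 16993 } else { 16992 }
    $scheme = if ($Tls) { 'https' } else { 'http' }
    $spn    = "HTTP/${Fqdn}:${port}"

    $result = [ordered]@{ Spn = $spn; TicketIssued = $false; HttpStatus = $null; Error = $null }

    # Step 1: request a service ticket from the KDC (a domain controller) for the
    # firmware service's SPN. This is the lookup the article describes: the caller
    # resolves the *service* in the management engine, not the computer account.
    $null = & klist.exe get $spn 2>&1
    $result.TicketIssued = [bool](& klist.exe tickets | Select-String -SimpleMatch $spn)
    if (-not $result.TicketIssued) {
        $result.Error = "KDC issued no ticket for $spn (SPN not registered, or FQDN mismatch)"
        return [pscustomobject]$result
    }

    # Step 2: present the ticket to the management engine via HTTP Negotiate.
    # -UseDefaultCredentials sends the logged-on user's Kerberos ticket; the
    # firmware validates it and then applies its own ACL.
    try {
        $resp = Invoke-WebRequest -Uri "${scheme}://${Fqdn}:${port}/index.htm" `
                                  -UseDefaultCredentials -UseBasicParsing
        $result.HttpStatus = [int]$resp.StatusCode
    } catch {
        # A 401 here means the ticket was accepted by Kerberos but the user is
        # not in the AMT ACL; no Response at all means the port was unreachable.
        if ($_.Exception.Response) {
            $result.HttpStatus = [int]$_.Exception.Response.StatusCode
        }
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage:
#   Test-AmtKerberosAuth -Fqdn vprosystem.company.com | Format-List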

The above diagram and foundational Kerberos information from the Microsoft TechNet article leads to a few key considerations in using Microsoft Active Directory integration with Intel AMT:

  • Secondary AD object - Alongside each computer object there will be a "user" object with the same name as the target computer object plus a suffix. The "user" object refers to the service within the management firmware. In the image above, the user object is vProSystem$iME.
  • The "user" object has a UserPrincipalName (UPN), which is the hostname of the computer within the Active Directory forest (e.g. system1@company.com). The object is actually of the computer class in Active Directory, but unique attributes define it as a service.

This means the client system must be joined to the domain, so that the base computer object exists, before Intel AMT is configured with AD integration. Once the base computer object exists, the FQDN of the client is set and known. Management applications and tools reference this FQDN to locate the SPN and UPN, so having the FQDN of the client settled is important to the overall success of AD integration. If the hostname or DNS suffix changes after configuration, the SPNs registered for the management engine no longer match the name the console requests a ticket for, and the KDC cannot issue one.
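A check for the two objects and the FQDN consistency described above, as an added example that is not part of the original article. It uses the ActiveDirectory module (RSAT) and assumes, as the article states, that the management-engine object is named "<hostname>$iME" and is of the computer class. The expected SPN form HTTP/<fqdn>:<port> and the port list 16992-16995, 623 and 664 are assumptions taken from Intel AMT documentation, not from this page; adjust them if your SCS profile registers a different set.

```powershell
# Added example (not the article's or Intel's code). Requires the ActiveDirectory
# module. Assumptions not stated by the article: the management-engine object's
# SPNs are HTTP/<fqdn>:<port> for the ports listed in $expectedPorts.
Import-Module ActiveDirectory

function Test-AmtAdObjects {
    param([Parameter(Mandatory)][string]$HostName)   # NetBIOS name, e.g. vprosystem

    $expectedPorts = 16992, 16993, 16994, 16995, 623, 664   # assumption: Intel AMT ports
    $result = [ordered]@{
        HostName = $HostName; ComputerObject = $false; Fqdn = $null
        MeObject = $false; Upn = $null; Spns = @(); SpnFqdnMismatch = @(); MissingPortSpns = @()
    }

    # 1. Base computer object: the client must already be domain-joined, and its
    #    DNSHostName is the FQDN every console will use to look up the SPN/UPN.
    $computer = Get-ADComputer -Filter "Name -eq '$HostName'" -Properties DNSHostName
    if (-not $computer) { return [pscustomobject]$result }
    $result.ComputerObject = $true
    $result.Fqdn = $computer.DNSHostName

    # 2. Secondary "user" object for the management engine: <hostname>$iME,
    #    computer class, carrying the UPN and SPNs of the firmware service.
    $meName = "$HostName`$iME"
    $me = Get-ADObject -LDAPFilter "(&(objectClass=computer)(cn=$meName))" `
                       -Properties userPrincipalName, servicePrincipalName
    if (-not $me) { return [pscustomobject]$result }
    $result.MeObject = $true
    $result.Upn  = $me.userPrincipalName
    $result.Spns = @($me.servicePrincipalName)

    # 3. Every SPN must carry the FQDN from step 1. A stale name here means the
    #    KDC cannot issue a ticket for the SPN the console requests.
    $fqdnPattern = "^HTTP/$([regex]::Escape($result.Fqdn)):\d+$"
    $result.SpnFqdnMismatch = @($result.Spns | Where-Object { $_ -notmatch $fqdnPattern })

    # 4. Report any expected port with no SPN registered (comparison is case-insensitive).
    $result.MissingPortSpns = @($expectedPorts | Where-Object {
        $result.Spns -notcontains "HTTP/$($result.Fqdn):$_"
    })

    [pscustomobject]$result
}

# Usage:
#   Test-AmtAdObjects -HostName vprosystem | Format-List
```

Run it before configuring a client (expect ComputerObject true, MeObject false) and again afterwards (both true, with empty SpnFqdnMismatch and MissingPortSpns); anything listed in SpnFqdnMismatch is the case the previous paragraph warns about.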

An excerpt from the Microsoft TechNet article provides additional reference: "An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer."

The next section of this series will address how to configure the environment and associated Intel AMT systems.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Read Part 2: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology

Attachment: 1123351-01.jpg
